Commit 0d81092a authored Oct 25, 2023 by Lee, Chun-Yi Committed by Wang Yufen Oct 25, 2023

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO

mainline inclusion
from mainline-v6.6-rc1
commit 9c33663a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6YOAU
CVE: CVE-2023-31083

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9c33663af9ad115f90c076a1828129a3fbadea98



--------------------------------

This patch adds code to check HCI_UART_PROTO_READY flag before
accessing hci_uart->proto. It fixes the race condition in
hci_uart_tty_ioctl() between HCIUARTSETPROTO and HCIUARTGETPROTO.
This issue bug found by Yu Hao and Weiteng Chen:

BUG: general protection fault in hci_uart_tty_ioctl [1]

The information of C reproducer can also reference the link [2]

Reported-by: Yu Hao <yhao016@ucr.edu>
Closes: https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/

 [1]
Reported-by: Weiteng Chen <wchen130@ucr.edu>
Closes: https://lore.kernel.org/lkml/CA+UBctDPEvHdkHMwD340=n02rh+jNRJNNQ5LBZNA+Wm4Keh2ow@mail.gmail.com/T/

 [2]
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>

parent d67a9a26

drivers/bluetooth/hci_ldisc.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -772,7 +772,8 @@ static int hci_uart_tty_ioctl(struct tty_struct tty, struct file file,
		break;

		case HCIUARTGETPROTO:
		if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
		if (test_bit(HCI_UART_PROTO_SET, &hu->flags) &&
		test_bit(HCI_UART_PROTO_READY, &hu->flags))
		err = hu->proto->id;
		else
		err = -EUNATCH;